Foundations of Cryptography Lecture 14: Malleability, Chosen Ciphertext Attacks, Cramer-Shoup Cryptosystem Lecturer: Moni Naor

Recap of last week’s lecture Black-box zero-knowledge Perfect and Statistical Zero-knowledge Limitations and relaxations Proofs of knowledge Public-key identification Random oracles Interactive Authentication

Interactive Authentication P wants to convince V that he is approving message m P has a public key KP of an encryption scheme E. To authenticate a message m: V  P: Choose r 2R {0,1}n. Send c=E(m ° r, KP) P  V: Receiving c Decrypt c using KS Verify that prefix of plaintext is m. If yes - send r. V is satisfied if he receives the same r he chose

Is it Safe? security: Existential unforgeability against adaptive chosen message attack Adversary can ask to authenticate any sequence of messages m1, m2, … Has to succeed in making V accept a message m not authenticated Has complete control over the channels Intuition of security: if E does not leak information about plaintext Nothing is leaked about r if E is semantically secure against chosen plaintext attacks: Adversary might change c=E(m ° r, KP) into c’=E(m’ ° r, KP) Malleability not sufficient to verify correct form of ciphertext in simulation Closer to a chosen ciphertext attack “just”

Encryption - Attacks Chosen Plaintext Minimal attack relevant to PKCs. Assumes decrypted messages remain secret. CCA1: Chosen Ciphertext - preprocessing mode (Lunch-break) Challenge ciphertext is given after adversary relinquishes control of decryption device. Good model for membership queries in computational learning. CCA2: Chosen Ciphertext - postprocessing mode Challenge ciphertext is known when the attacks takes place but cannot submit it!

Encryption - Notions of Breaking Semantic Security: whatever is computable about the plaintext given the ciphertext is computable without it. Minimal notion of security for single encrypter. Non-malleable security - whatever is computable in an encrypted form about the plaintext given the ciphertext is computable without it. Important for achieving independence of messages.

Application: auctions Bidders submit their bids Highest one should win Want to keep values secret until all bids submitted independent

Example: Auctions Different requirements - different notions. Semantic security is not sufficient for guaranteeing the independence of bids. If key is used for a Single auction and secrecy is not required after the auction is over – Non-malleable security against chosen plaintext attacks. If key is used for many auctions and secrecy is not required after the auction is over – Non-malleable security against Chosen Ciphertext Attack in the preprocessing mode. If key is used for many auctions and secrecy is required after the auction is over Chosen Ciphertext Attacks in the postprocessing mode.

 PrR(X,A(E(X)) - PrR(X,A’())   Semantic Security Whatever Adversary A can compute on encrypted string X 0,1n, so can A’ that does not see the encryption of X, A selects: Distribution Dn on 0,1n Relation R(X,Y) - computable in probabilistic polynomial time For every pptm A choosing a distribution Dn on 0,1n there is an pptm A’ so that for all pptm relation R for XR Dn  PrR(X,A(E(X)) - PrR(X,A’())   is negligible In other words: The outputs of A and A’ are indistinguishable even for a tester who is aware of X

A: Dn A’: Dn X 2R Dn E(X) . A A’ X Y X Y R R ¼

Non-Malleable Security Whatever Adversary A can compute on encrypted string X 0,1n, so can A’ that does not see the encryption of X A selects: Distribution Dn on 0,1n Relation R(X,Y) - computable in probabilistic polynomial time For every pptm A choosing a distribution Dn on 0,1n there is an pptm A’ so that for all pptm relation R for XR Dn  PrR(X,D(A(E(X))) - PrR(X, D(A’()))   is negligible In other words: The outputs of A and A’ are indistinguishable even for a tester who gets the decryptions of what they output. Encrypt

¼ A: Dn A’: Dn X 2R Dn E(X) . A A’ Y Y X D X D R R Deal with invalid ciphertext Y Y X D X D R R ¼

Combinations All combinations are useful in some circumstances CPA CCA1 (lunch-time) CCA2 (post-processing) Attack Breaking Semantic Security Non- Malleability All implications are proper

Principles for Increasing Security Essentially all constructions achieving better than se- mantic security against chosen plaintext attacks use: Redundancy in the encryption. Validation that ciphertext is of the right form. Validation is the trickiest part. Relatively simple in: Private-key Encryption Random Oracles

Private-key World Preventing CCA in the postprocing mode: add private-key authentication. Shared key: S1 and S2, seeds to a pseudo-random function F To encrypt m Choose random r. Let Y=FS1(r) © m and let Z= FS2(r ◦Y) Send (r,Y,Z) To decrypt (r,Y,Z): let Z’ = FS2(r ◦Y) . If Z’ = Z let m = FS1(r) © Y If Z’ ≠ Z output invalid Claim: scheme is NM-secure against CCA2 No adversary can generate another ciphertext that is not labeled invalid. No information from rejection!

DDN Lite: The Idea Start with a Semantic secure PKC against CPA. Have many different instances of the original scheme Each encryption should use a different subset of the keys – enforce by one-time signatures. Before decryption - verify consistency. Properties: If the original scheme is SS against chosen plaintext attack the result is NM-secure against chosen plaintext attacks. If the original scheme is S-secure against CCA in the preprocessing mode, the result is NM-secure against CCA in the preprocessing mode.

DDN Lite Public-Key: hK10, K11i, hK20, K21i, … hKn0, Kn1i Each is the public key of a SS PKC DDN Lite Public-Key: hK10, K11i, hK20, K21i, … hKn0, Kn1i A function h:{0,1}*  {0,1}n - UOHWF Private-Key: Decryption keys of {Kib}. Encryption of a message m: Choose at random KOS, the public-key of a one-time signature scheme Let b1, b2, … bn = h(K). Encrypt m using keys Kibi to obtain C1, C2, …, Cn. Sign hC1, C2, … Cni using KOS-1 and h; Ciphertext is: KOS, hC1, …, Cni, S. Decryption of ciphertext KOS, C1, … Cn, S Verify the signature S on hC1, C2, … ,Cni using KOS. Verify the consistency (equality) of all the plaintexts. Decrypt using any one of the keys. hard to find collision with target input Let S be the result

Ideas for achieving resistance to CCA Add redundancy - hard to generate frivolous ciphertexts Add methods to check consistency This is the trickiest part: Non interactive zero-knowledge Specific schemes Decrypt only if given ciphertext passes the consistency checks Important point: may decrypt with several different private keys C1 C2 Proof of consistency If we have consistency than can decrypt with either key

Proofs of consistency How to have a proof of consistency that does not leak the plaintext Non-Interactive Zero-Knowledge (NIZK) How to make the proof itself non-malleable Ow can change it and get a different ciphertext with the same plaintext

Approaches for obtaining CCA/NM General NIZK Specific NIZK Cramer-Shoup: special verifier Through IBE – Identity Based Encryption

x is called the discrete log of y to base g. Discrete Log Problem Let G be a group and g an element in G. Let y=gz and x the minimal non negative integer satisfying the equation. x is called the discrete log of y to base g. Example: y=gx mod p in the multiplicative group of Zp In general: easy to exponentiate via repeated squaring Consider binary representation What about discrete log? If difficult, f(g,x) = (g, gx) is a one-way function DL Assumption for group G: No efficient algorithm can solve for XR[0..n-1] whp the DL problem for Y=ga

Discrete Log Problem Very useful group for DL: P and Q: Large primes, s.t. Q | P-1 g: an element of order Q in ZP*. Best known algorithms - Q or subexponential in log P Randomized reduction: given Y generate Y’ = Ygr for rR [Q]

Diffie-Hellman The Diffie-Hellman assumption Let G be a group and g an element in G. Given g, X=ga and Y=gb it is hard to find Z=gab for random a and b the probability of a poly-time machine outputting gab is negligible More accurately: a sequence of groups Don’t know how to verify whether given Z’ is equal to gab

Decisional Diffie-Hellman Problem For for generator g of a group of size Q and a,b [Q] Given g, Y=ga, X=gb and Z decide whether Z =gab or Z  gab Equivalent: is logg Y = logX Z DDH-Assumption: The DDH-Problem is hard in the worst case.

Average DDH For a,bR [Q] and c which is either Given decide whether c= ab cR [Q] Given Y=ga and X=gb and Z =gc decide whether Z =gab or Z gab DDH-Assumption average case: The DDH-Problem is hard for above distribution

Worst to Average case reduction Theorem:The average case and worst case of the DDH-Assumption are equivalent. Given ga and gb and gc (and P, Q) Sample r,s1,s2R [Q] compute ga’ = (ga)r gs1 gb’ = (gb) gs2 gc’ = (gc)r (ga)rs2 (gb)s1 gs1s2 c is either ab or not a’ = ras1 mod Q b’ = bs2 mod Q a’b’=rab+ras2+bs1+s1s2

…Worst to average If c = abe mod Q then a’ = ras1 mod Q b’ = bs2 mod Q c'= a'b'+ e r mod Q Always: a’ and b' are uniformly distributed. If e =0, then c' = a'b'. Otherwise c' is uniform and independent in [Q] a’ = ras1 mod Q b’ = bs2 mod Q a’b’=rab+ras2+bs1+s1s2

Evidence to Validity of DDH Endured extensive research for DH search DH-search related to discrete log Hard for generic algorithms that work in a black-box group) Computing the most significant bits of gab is hard Random-self-reducibility.

El-Gamal Cryptosystem variant: Subgroup of size Q Private key a R [Q] Public key Y=ga and P, Q and h To encrypt M choose rR [Q] compute X=gr and Yr send hX , h(Yr)Mi To decrypt hX, Wi: compute Xa = Yr and output h(Xa)  W h {0,1}k ZP How is h chosen? Pair-wise independence suffices

El-Gamal Security Under the DDH assumption cryptosystem is semantically secure against chosen plaintext but... Scheme is malleable To change M to M’=MC : change hX, Wi to hX, WCi

Proving consistency of exponentiations generators Given g1, g2, X1 , X2 Is there is an r where X1=g1r and X2=g2r Honest verifier zero-knowledge proof: Verifier sends Z = g1b1 g2b2 for random b1, b2 Prover sends V = Zr Verifier accepts iff X1b1X2b2 = V Simulator: choose random b1, b2 and output (g1b1 g2b2 , X1b1 X2b2 ) Leaks only a linear equation for b1 and b2

Proving consistency of exponentiations Given g1, g2, X1 , X2 Is there is an r where X1=g1r and X2=g2r Honest verifier zero-knowledge proof: Verifier sends Z = g1b1 g2b2 for random b1, b2 Prover sends V = Zr Verifier accepts iff X1b1X2b2 = V Soundness: if X1=g1r and X2=g2r+e then X1b1X2b2 = g1rb1  g2(r+e)b2 = g1rb1  g2rb2  g2eb2 = Zr  (g2e ) b2 Z can be known when X1 and X2 are chosen! Leaks only a linear equation for b1 and b2 Random in the group

Cramer-Shoup Lite Private key: a, b1, b2 R [Q] Public key: g1, g2, Y=g1a and Z=g1b1 g2b2 To encrypt M choose rR [Q] compute Yr, X1=g1r, X2=g2r and Zr send hX1, X2, h(Yr)M, Zri To decrypt hX1, X2, W, Vi check validity: X1b1  X2b2 =  V and if yes compute X1a = Yr. Output h(Yr)W

Cramer-Shoup Complexity Encryption: 4 modular exponentiations Decryption: 3 modular exponentiations

Cramer Shoup Security Under the DDH assumption cryptosystem is semantically secure against chosen plaintext Show that the scheme secure against chosen ciphertext attacks (preprocessing) but... Scheme is malleable To change M to M’=MC change hX, Wi to hX,WCi

Chosen Ciphertext Attacks - Lunchtime Adversary T has temporary access to decryption oracle. Then it is given a challenge Semantic security - adversary chooses two message hM0, M1i For dR0,1 it is given E(Md) and has to guess d. Let pd  PrT(E(Md )) ‘1’  d  T Wins if p1 - p0  

Proof of security Show how to use an adversary that can break CS scheme for breaking DDH Given hg1, g2, X1, X2i want to distinguish X1=g1r , X2=g2r for rR [Q] and random g1, g2 or X1=g1r1, X2=g2r2 for r1, r1 R [Q] and random g1, g2

...Proof of security - simulation Given hg1, g2, X1, X2 i generate Private key a1, a2, b1, b2 R [Q] and Public key hg1, g2, Y = g1a1 g2a2, Z=g1b1g2b2 i To decrypt hX’1, X’2 , W, V i check X’1b1X’2b2 =  V and if pass compute X’1a 1  X’2a2 = Yr . Output h(Yr)W Normal operation, independent of X1, X2

...Proof of security - simulation When adversary chooses hM0 , M1i: Generate For dR0,1 the ciphertext hX1, X2 , h(X1a1  X2a2 )  Md , V = X1b1  X2b2i Claim: If logg1X1 = logg2X2 then ciphertext is valid If logg1X1  logg2X2 then ciphertext is inconsistent and independent of d

Important property of scheme For both real and simulated scheme: no (even powerful) adversary can find an inconsistent ciphertext that is considered `valid’. Key point: b1 and b2 are random in [Q]. Z=g1b1g2b2 reveals one linear equation still Q possibilities for (b1, b2 ).

Inconsistent = Invalid Each candidate ciphertext hX’1, X’2,W’,V’i such that logg1X1  logg2X2 can be viewed as a query on value (b1, b2 ). With probability 1-1/Q the answer is invalid Whp (1-q/Q) adversary never gets decryption on invalid ciphertext No ``information” from rejection!

No decryption of consistent ciphertext reveals information regarding a1, a2 Y=g1a1g2a2 reveals one linear equation decryptions do not reveal more equations The only inconsistent ciphertext that adversary sees is the challenge ciphertext.  If logg1X1  logg2X2 then ciphertext is invalid and independent of d

p’  PrT ‘1’  ciphertext is invalid   p1 - p0    either Let p0  PrT(E(M0 )) ‘1’  d  0  p1  PrT(E(M1 )) ‘1’  d  1  p’  PrT ‘1’  ciphertext is invalid   p1 - p0    either  p1 - p’ /2 or  p0 - p’ /2  Can distinguish DDH with advantage /2

Cramer-Shoup: Full Strength Private key: a, b1, b2, c1, c2 R [Q] Public key: g1, g2, Y=g1a, Z=g1b1 g2b2, Z’=g1c1 g2c2 and H To encrypt M, choose rR [Q] and compute Yr, X1=g1r, X2=g2r, W = h(Yr)M  =H(W, X1 , X2 ) send hX1, X2 ,W, Zr Z’ri To decrypt hX1, X2, W, Vi check validity: X1b1 + c1  X1b2 + c2 =  V and if pass compute X1a = Yr. Output h(Yr)W A UOWHF One-way hash

Cramer Shoup (full strength) Security Under the DDH assumption cryptosystem is non-malleable against chosen ciphertext attacks in postprocessing mode

Conclusions The CS scheme is within a multiplicative constant of ``vanilla” Diffie-Hellman, yet enjoys provable resistance to CCA Authentication: given CCA resistance - the only known Diffie-Hellman based public-key authentication - can be used for deniable authentication

Interactive Authentication P wants to convince V that he is approving message m P has a public key KP of an encryption scheme E. To authenticate a message m: V  P: Choose r 2R {0,1}n. Send c=E(m ° r, KP) P  V: Receiving c Decrypt c using KS Verify that prefix of plaintext is m. If yes - send r. V is satisfied if he receives the same r he choose

Is it Safe? Want: Existential unforgeability against adaptive chosen message attack Adversary can ask to authenticate any sequence m1, m2, … Has to succeed in making V accept a message m not authenticated Has complete control over the channels Intuition of security: if E does not leak information about plaintext Nothing is leaked about r Several problems: if E is “just” semantically secure against chosen plaintext attacks: Adversary might change c=E(m ° r, KP) into c’=E(m’ ° r, KP) Malleability not sufficient to verify correct form of ciphertext in simulation Closer to a chosen ciphertext attack

No receipts Can the verifier convince third party that the prover approved a certain message?

Authentication and Non-Repudiation Key idea of modern cryptography [Diffie-Hellman]: can make authentication (signatures) transferable to third party - Non-repudiation. Essential to contract signing, e-commerce… Digital Signatures: last 25 years major effort in Research Notions of security Computationally efficient constructions Technology, Infrastructure (PKI), Commerce, Legal

Is non-repudiation always desirable? Not necessarily so: Privacy of conversation, no (verifiable) record. Do you want everything you ever said to be held against you? If Bob pays for the authentication, shouldn't be able to transfer it for free Perhaps can gain efficiency Alternative: (Plausible) Deniability If the recipient (or any recipient) could have generated the conversation himself or an indistinguishable one

Deniable Authentication Setting: Sender has a public key known to receiver Want to an authentication scheme such that the receiver keeps no receipt of conversation. This means: Any receiver could have generated the conversation itself. There is a simulator that for any message m and verifier V* generates an indistinguishable conversation. Exactly as in Zero-Knowledge! An example where zero-knowledge is the ends, not the means! Proof of security consists of Unforgeability and Deniability

Ring Signatures and Authentication Can we keep the sender anonymous? Idea: prove that the signer is a member of an ad hoc set Other members do not cooperate Use their `regular’ public-keys Encryption Should be indistinguishable which member of the set is actually doing the authentication Bob Alice? Eve

A Public Key Authentication Protocol P has a public key PK of an encryption scheme E. To authenticate a message m: V  P : Choose r R {0,1}n and random bits 2{0,1}* Send Y=E(PK, m°r, ) P  V : Verify that prefix of plaintext is indeed m. If yes - send r. V accepts iff the received r’=r Is it Unforgeable? Is it Deniable

We saw an encryption scheme satisfying the desired requirements Security of the scheme Unforgeability: depends on the strength of E Sensitive to malleability: if given E(PK, m°r, ) can generate E(PK, m’°r’, ’) where m’ is related to m and r’ is related to x then can forge. The protocol allows a chosen ciphertext attack on E. Even of the post-processing kind! Can prove that any strategy for existential forgery can be translated into a CCA strategy on E Works even against concurrent executions. Deniability: does V retain a receipt?? It does not retain one for an honest V Need to prove knowledge of r We saw an encryption scheme satisfying the desired requirements

Simulator for honest receiver Choose r R {0,1}n. Output: hY=E(PK, m°r, ), x,  i Has exactly the same distribution as a real conversation when the verifier is following the protocol Statistical indistinguishability Verifier might cheat by checking whether certain ciphertext have as a prefix m No known concrete way of doing harm this way

Encryption as Commitment When the public key PK is fixed and known Y=E(PK, x, ) can be seen as commitment to x To open x: reveal , the random bits used to create Y Perfect binding: from unique decryption For any Y there are no two different x and x’ and  and ’ s.t. Y=E(PK, x, ) =E(PK, x’, ’) Secrecy: no information about x is leaked to those not knowing private key PS

Does not want to reveal it yet Deniable Protocol P has a public key PK of an encryption scheme E. To authenticate message m: V  P: Choose xR{0,1}n. Send Y=E(PK, m°x , ) P  V: Send E(PK, x, ) V  P: Send x and  - opening Y=E(PK, m°x, ) P  V: Open E(PK, x, ) by sending . P commits to the value x. Does not want to reveal it yet

Security of the scheme Unforgeability: as before - depends on the strength of E can simulate previous scheme (with access to D(PK , . )) Important property: E(PK, x, ) is a non-malleable commitment (wrt the encryption) to x. Deniability: can run simulator: Extract x by running with E(PK, garbage, ) and rewinding Expected polynomial time Need the semantic security of E - it acts as a commitment scheme

Ring Signatures and Authentication Want to keep the sender anonymous by proving that the signer is a member of an ad hoc set Other members do not cooperate Use their `regular’ public-keys Should be indistinguishable which member of the set is actually doing the authentication Bob Alice? Eve

Ring Authentication Setting A ring is an arbitrary set of participants including the authenticator Each member i of the ring has a public encryption key PKi Only i knows the corresponding secret key PSi To run a ring authentication protocol both sides need to know PK1, PK2, …, PKn the public keys of the ring members ...

An almost Good Ring Authentication Protocol Ring has public keys PK1, PK2, …, PKn of encryption scheme E To authenticate message m with jth decryption key PSj: V  P: Choose x {0,1}n. Send E(PK1, m°x, r1), E(PK2, m°x, r2), …, E(PKn, m°x, rn) P  V: Decrypt E(PKj, m°x, rj), using PSj and Send E(PK1, x,  1), E(PK2, x, 2), …, E(PKn, x, n) V  P: open all the E(PKi, m°x, ri) by Send x and r1, r2 ,… rn P  V: Verify consistency and open all E(PKi, x, ti) by Send t  1, 2 ,… n Problem: what if not all suffixes (x‘s) are equal

The Ring Authentication Protocol Ring has public keys PK1, PK2, …, PKn of encryption scheme E To authenticate message m with jth decryption key PSj: V  P: Choose x {0,1}n. Send E(PK1, m°x, r1), E(PK2, m°x, r2), …, E(PK1, m°x, rn) P  V: Decrypt E(PKj, m°x, rj), using PSj and Send E(PK1, x1, t1), E(PK2, x2, t2), …, E(PKn, xn, tn) Where x=x1+x2 +  xn V  P: open all the E(PKi, m°x, ri) by Send x and r1, r2 ,… rn P  V: Verify consistency and open all E(PKi, x, ti) by Send t1, t2 ,… tn and x1, x2 ,…, xn

Complexity of the scheme Sender: single decryption, n encryptions and n encryption verifications Receiver: n encryptions and n encryption verifications Communication Complexity: O(n) public-key encryptions

E(PK1, x1, t1), E(PK2, x2, t2),…,E(PK1, xn, tn) Security of the scheme Unforgeability: as before (assuming all keys are well chosen) since E(PK1, x1, t1), E(PK2, x2, t2),…,E(PK1, xn, tn) where x=x1+x2 + L xn is a non-malleable commitment to x Source Hiding: which key was used (among well chosen keys) is Computationally indistinguishable during protocol Statistically indistinguishable after protocol If ends successfully Deniability: Can run simulator `as before’

Properties of the Scheme Works with any good encryption scheme - members of the ring are unwilling participants. Fairly efficient scheme: Need n encryptions n verifications and one decryption Can extend the scheme so that convince a verifier that At least k members confirm the message. What are the social implications of the existence of ring authentication?

Sources Dolev, Dwork and Naor: Non Malleable Cryptography, Siam J. computing 2000. also Siam Review 2003 Cramer and Shoup: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack (see www.shoup.net) Lindell: A Simpler Construction of CCA2-Secure Public-Key Encryption Under General Assumptions. In Eurocrypt 2003,

Question: zero-knowledge protocol for subset sum Give a direct protocol (i.e. not through a reduction to hamiltoncity) for the subset sum problem Subset sum problem: given n numbers 0 ≤ a1, a2 ,…, an < 2m Target sum T Is there a subset S⊆ {1,...,n} such that ∑ i S ai,=T mod 2m

Inner product over GF[2] Question: statistically hiding, computationally biding commitments from collision intractable hash functions Goal: construct a commitment scheme where the induced distribution of the transcript is (nearly independent of the string committed to No PPT sender can with probability (1-negligible) reveal two different strings following the commit phase. Protocol for committing to a bit b. Let H be a family of collision intractable hash functions Commit: Receiver: choose h 2 H and give to sender Sender: choose random z and r. Send h(z),r and hz¢ri©b Reveal: publish z Prove that the protocol satisfies the above requirements Inner product over GF[2]

h,KP,E(KP,x),h(x ◦ E(Kp,x)) Find the error Let E be an public-key encryption scheme which is errorless. Let H be a family of collision intractable hash functions Commit: Sender chooses Key for E(KP,KS) and h 2 H and sends h,KP,E(KP,x),h(x ◦ E(Kp,x)) Reveal: publish KS Show that there exists a family H be a family of collision intractable hash functions such that the scheme is insecure for any E. Assuming collision intractable hash functions exists